In this episode of Life of a CISO, Dr. Eric Cole shines a spotlight on a critical blind spot that many Chief Information Security Officers overlook: legal liability. While CISOs are often highly skilled and technically knowledgeable, it's what they don't know—particularly about their legal exposure—that can put them at serious risk. Dr. Cole explains that many CISOs hold the title of “chief” without realizing they may not officially be corporate officers, and that distinction matters. If you are considered a true officer of the company, you may be personally liable for failures or breaches, even if you weren't the root cause. He urges CISOs to ask the right questions during negotiations, ensure they understand their official role, and protect themselves with legal counsel and proper insurance coverage. He goes on to emphasize the importance of understanding how communication becomes evidence at the executive level. In today's digital world, emails and text messages are no longer just conversations—they are legal records that can be used for or against you. Dr. Cole discusses how even a lack of written documentation can lead to lawsuits or termination if it's perceived that a CISO failed to inform the board about a critical risk. However, over-documenting can also backfire by making colleagues uncomfortable or wary. This delicate balance between transparency and discretion is a key leadership skill every CISO must develop. Ultimately, this episode is a wake-up call to every cybersecurity leader: the higher you rise, the more you must be aware of the legal and personal implications of your role.
We hit a milestone today as this is our 50th Podcast Episode! A big thank you to you, our listeners, for your continued support!

* Kali Linux Users Face Update Issues After Repository Signing Key Loss
* CISOs Advised to Secure Personal Protections Against Scapegoating and Whistleblowing Risks
* WhatsApp Launches Advanced Chat Privacy to Safeguard Sensitive Conversations
* Samsung Confirms Security Vulnerability in Galaxy Devices That Could Expose Passwords
* Former Disney Menu Manager Sentenced to 3 Years for Malicious System Attacks

Kali Linux Users Face Update Issues After Repository Signing Key Loss
https://www.kali.org/blog/new-kali-archive-signing-key/

Offensive Security has announced that Kali Linux users will need to manually install a new repository signing key following the loss of the previous key. Without this update, users will experience system update failures.

The company recently lost access to the old repository signing key (ED444FF07D8D0BF6) and had to create a new one (ED65462EC8D5E4C5), which has been signed by Kali Linux developers using signatures on the Ubuntu OpenPGP key server. OffSec emphasized that the key wasn't compromised, so the old one remains in the keyring.

Users attempting to update their systems with the old key will encounter error messages stating "Missing key 827C8569F2518CC677FECA1AED65462EC8D5E4C5, which is needed to verify signature."

To address this issue, the Kali Linux repository was frozen on February 18th. "In the coming day(s), pretty much every Kali system out there will fail to update," OffSec warned. "This is not only you, this is for everyone, and this is entirely our fault."

To avoid update failures, users are advised to manually download and install the new repository signing key by running the command:

sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg

For users unwilling to manually update the keyring, OffSec recommends reinstalling Kali using images that include the updated keyring.

This isn't the first time Kali Linux users have faced such issues. A similar incident occurred in February 2018 when developers allowed the GPG key to expire, also requiring manual updates from users.

CISOs Advised to Secure Personal Protections Against Scapegoating and Whistleblowing Risks
https://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1727392520218001o5wv
https://www.theregister.com/2025/04/28/ciso_rsa_whistleblowing/

Chief Information Security Officers should negotiate personal liability insurance and golden parachute agreements when starting new roles to protect themselves in case of organizational conflicts, according to a panel of security experts at the RSA Conference.

During a session on CISO whistleblowing, experienced security leaders shared cautionary tales and strategic advice for navigating the increasingly precarious position that has earned the role the nickname "chief scapegoat officer" in some organizations.

Dd Budiharto, former CISO at Marathon Oil and Phillips 66, revealed she was once fired for refusing to approve fraudulent invoices for work that wasn't delivered. "I'm proud to say I've been fired for not being willing to compromise my integrity," she stated. Despite losing her position, Budiharto chose not to pursue legal action against her former employer, a decision the panel unanimously supported as wise to avoid industry blacklisting.

Andrew Wilder, CISO of veterinary network Vetcor, emphasized that security executives should insist on two critical insurance policies before accepting new positions: directors and officers insurance (D&O) and personal legal liability insurance (PLLI). "You want to have personal legal liability insurance that covers you, not while you are an officer of an organization, but after you leave the organization as well," Wilder advised.

Wilder referenced the case of former Uber CISO Joe Sullivan, noting that Sullivan's Uber-provided PLLI covered PR costs during his legal proceedings following a data breach cover-up. He also stressed the importance of negotiating severance packages to ensure whistleblowing decisions can be made on ethical rather than financial grounds.

The panelists agreed that thorough documentation is essential for CISOs. Herman Brown, CIO for San Francisco's District Attorney's Office, recommended documenting all conversations and decisions. "Email is a great form of documentation that doesn't just stand for 'electronic mail,' it also stands for 'evidential mail,'" he noted.

Security leaders were warned to be particularly careful about going to the press with complaints, which the panel suggested could result in even worse professional consequences than legal action. Similarly, Budiharto cautioned against trusting internal human resources departments or ethics panels, reminding attendees that HR ultimately works to protect the company, not individual employees.

The panel underscored that proper governance, documentation, and clear communication with leadership about shared security responsibilities are essential practices for CISOs navigating the complex political and ethical challenges of their role.

WhatsApp Launches Advanced Chat Privacy to Safeguard Sensitive Conversations
https://blog.whatsapp.com/introducing-advanced-chat-privacy

WhatsApp has rolled out a new "Advanced Chat Privacy" feature designed to provide users with enhanced protection for sensitive information shared in both private and group conversations.

The new privacy option, accessible by tapping on a chat name, aims to prevent the unauthorized extraction of media and conversation content. "Today we're introducing our latest layer for privacy called 'Advanced Chat Privacy.' This new setting available in both chats and groups helps prevent others from taking content outside of WhatsApp for when you may want extra privacy," WhatsApp announced in its release.

When enabled, the feature blocks other users from exporting chat histories, automatically downloading media to their devices, and using messages for AI features. According to WhatsApp, this ensures "everyone in the chat has greater confidence that no one can take what is being said outside the chat."

The company noted that this initial version is now available to all users who have updated to the latest version of the app, with plans to strengthen the feature with additional protections in the future. However, WhatsApp acknowledges that certain gaps remain, such as the possibility of someone photographing a conversation screen even when screenshots are blocked.

This latest privacy enhancement continues WhatsApp's long-standing commitment to user security, which began nearly seven years ago with the introduction of end-to-end encryption. The platform has steadily expanded its privacy capabilities since then, implementing end-to-end encrypted chat backups for iOS and Android in October 2021, followed by default disappearing messages for new chats in December of the same year.

More recent security updates include chat locking with password or fingerprint protection, a Secret Code feature to hide locked chats, and location hiding during calls by routing connections through WhatsApp's servers. Since October 2024, the platform has also encrypted contact databases for privacy-preserving synchronization.

Meta reported in early 2020 that WhatsApp serves more than two billion users across over 180 countries, making these privacy enhancements significant for a substantial portion of the global messaging community.

Samsung Confirms Security Vulnerability in Galaxy Devices That Could Expose Passwords
https://us.community.samsung.com/t5/Suggestions/Implement-Auto-Delete-Clipboard-History-to-Prevent-Sensitive/m-p/3200743

Samsung has acknowledged a significant security flaw in its Galaxy devices that potentially exposes user passwords and other sensitive information stored in the clipboard.

The issue was brought to light by a user identified as "OicitrapDraz" who posted concerns on Samsung's community forum on April 14. "I copy passwords from my password manager all the time," the user wrote. "How is it that Samsung's clipboard saves everything in plain text with no expiration? That's a huge security issue."

In response, Samsung confirmed the vulnerability, stating: "We understand your concerns regarding clipboard behavior and how it may affect sensitive content. Clipboard history in One UI is managed at the system level." The company added that the user's "suggestion for more control over clipboard data—such as auto-clear or exclusion options—has been noted and shared with the appropriate team for consideration."

One UI is Samsung's customized version of Android that runs on Galaxy smartphones and tablets. The security flaw means that sensitive information copied to the clipboard remains accessible in plain text without any automatic expiration or encryption.

As a temporary solution, Samsung recommended that users "manually clear clipboard history when needed and use secure input methods for sensitive information." This stopgap measure puts the burden of security on users rather than providing a system-level fix.

Security experts are particularly concerned now that this vulnerability has been publicly acknowledged, as it creates a potential "clipboard wormhole" that attackers could exploit to access passwords and other confidential information on affected devices. Users of Samsung Galaxy devices are advised to exercise extreme caution when copying sensitive information until a more comprehensive solution is implemented.

Former Disney Menu Manager Sentenced to 3 Years for Malicious System Attacks
https://www.theregister.com/2025/04/29/former_disney_employee_jailed/

A former Disney employee has received a 36-month prison sentence and been ordered to pay nearly $688,000 in fines after pleading guilty to sabotaging the entertainment giant's restaurant menu systems following his termination.

Michael Scheuer, a Winter Garden, Florida resident who previously served as Disney's Menu Production Manager, was arrested in October and charged with violating the Computer Fraud and Abuse Act (CFAA) and committing aggravated identity theft. He accepted a plea agreement in January, with sentencing finalized last week in federal court in Orlando.

According to court documents, Scheuer's June 13, 2024 termination from Disney for misconduct was described as "contentious and not amicable." In July, he retaliated by gaining unauthorized access to Disney's Menu Creator application, hosted by a third-party vendor in Minnesota, and implementing various destructive changes.

The attacks included replacing Disney's themed fonts with Wingdings, rendering menus unreadable, and altering menu images and background files to display as blank white pages. These changes propagated throughout the database, making the Menu Creator system inoperable for one to two weeks. The damage was so severe that Disney has since abandoned the application entirely.

Particularly concerning were Scheuer's alterations to allergen information, falsely indicating certain menu items were safe for people with specific allergies—changes that "could have had fatal consequences depending on the type and severity of a customer's allergy," according to the plea agreement. He also modified wine region labels to reference locations of mass shootings, added swastika graphics, and altered QR codes to direct customers to a website promoting a boycott of Israel.

Scheuer employed multiple methods to conduct his attacks, including using an administrative account via a Mullvad VPN, exploiting a URL-based contractor access mechanism, and targeting SFTP servers that stored menu files. He also conducted denial of service attacks that made over 100,000 incorrect login attempts, locking out fourteen Disney employees from their enterprise accounts.

The FBI executed a search warrant at Scheuer's residence on September 23, 2024, at which point the attacks immediately ceased. Agents discovered virtual machines used for the attacks and a "doxxing file" containing personal information on five Disney employees and a family member of one worker.

Following his prison term, Scheuer will undergo three years of supervised release with various conditions, including a prohibition on contacting Disney or any of the individual victims.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
In the latest episode of Life of a CISO, Dr. Eric Cole addresses a critical issue faced by many Chief Information Security Officers: the tendency to focus on treating symptoms rather than identifying and addressing the root causes of security problems. He emphasizes that many CISOs find themselves merely reacting to incidents rather than proactively preventing them, resulting in a reactive cybersecurity culture. Dr. Cole discusses how executives often view CISOs more as Chief Incident Response Officers, content with existing security measures and waiting for issues to arise, so they have someone to blame in the event of a data breach. He critiques this mindset, highlighting the importance of using data to drive decisions rather than emotions, which can distort reality and hinder effective problem-solving. This episode serves as a reminder for security leaders to focus on strategic communication and proactive risk management in order to foster a more resilient cybersecurity posture.
Welcome to the Data Security Decoded podcast, brought to you by Rubrik Zero Labs. In each installment, we discuss cybersecurity with thought leaders and industry experts, and get their take on trends, themes, and where they see the sector going next. This is a must-listen for security and IT leaders looking to better understand trends shaping data security and how they can achieve cyber resilience.

In this episode, our guest host, Rick Bryant, Field CTO for Healthcare at Rubrik, is joined by Anahi Santiago, Chief Information Security Officer at ChristianaCare, a healthcare organization centered on improving health outcomes, making high-quality care more accessible, and lowering health care costs. She is also a Member of the Board of Directors at Health-ISAC (Health Information Sharing and Analysis Center), a global, non-profit, member-driven organization where health sector stakeholders coordinate, collaborate and share vital physical and cyber threat intelligence and best practices with each other. Anahi serves as an Advisory Council Member at CISO ExecNet, a peer-to-peer learning community for Chief Information Security Officers.

Join Rick and Anahi as they explore the challenges facing healthcare cybersecurity, the need for regulatory frameworks, and the role of information sharing in improving security measures.

Episode Highlights:
00:00 - Intro
02:13 - Anahi's introduction to cybersecurity
04:11 - The most pressing issues facing healthcare systems
05:47 - Risk management
07:41 - Managing data growth
11:21 - Fostering a culture of cybersecurity awareness
14:47 - Organizational resiliency
19:28 - The next five years
24:47 - More regulations vs better enforcement of existing regulations
On this week's Technology Report, Mark Montgomery, a retired US Navy rear admiral who is now the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and the executive director of the Cyber Solarium 2.0 project, discusses with Defense & Aerospace Report Editor Vago Muradian: the Biden administration's four new documents — National Security Memorandum 22, the International Cyber Strategy, the Cyber Posture Review, and the second version of the implementation plan; the House Armed Services Committee chairman's marks to the cyber elements of the National Defense Authorization Act and the Senate's sentiment on cyber priorities; concern among cyber firms about the administration's drive to hold Chief Information Security Officers personally responsible for lapses; and how the battle against Russian and Chinese disinformation is being lost.
In this episode of "Life of a CISO," Dr. Eric Cole emphasizes the critical importance of understanding both business and cybersecurity for aspiring or current Chief Information Security Officers. Dr. Cole underscores that effective CISOs must possess a deep understanding of business operations, financial management, and cybersecurity principles. He explains how these two domains intersect, enabling CISOs to become strategic leaders who use cybersecurity as a tool to drive business growth and protect organizational assets. Throughout the episode, Dr. Cole provides insights into key concepts such as capital and operational expenses, profitability, and business valuation, empowering listeners to adopt a strategic mindset essential for success in the cybersecurity field.
Got a chance to discuss Data Security with two of my favs, James Beecham, Founder and CEO, ALTR, and Sanjeev Mohan, Principal, SanjMO. Our enlightening discussion delved into crucial aspects of the evolving data security landscape. Here's what we discussed:

1. Emphasizing ALTR's Data Security Platform: James Beecham shared how ALTR's platform is uniquely positioned to tackle today's data security challenges.
2. CDO and CISO Convergence: Exploring the increasing collaboration between Chief Data Officers and Chief Information Security Officers in crafting robust data governance strategies.
3. Vendor Agnosticism: A key discussion point was ALTR's commitment to category and vendor neutrality, ensuring broad applicability and integration capabilities.
4. Responding to Market Needs: Insights on how ALTR is staying ahead of the curve in addressing emerging data security trends and requirements.
5. The Challenges of Policy Creation: The conversation also highlighted the complexities and time-consuming nature of policy creation in data security.

Stay tuned for more as we continue to explore these vital themes in data security and thought leadership! #data #datasecurity #ai #gartnerorlando #theravitshow
Dive into the evolving world of cybersecurity with the Identity Jedi Show Podcast, where industry experts dissect the changing role of security leaders. Episode 11 features Thomas Donnelly, who shares his seasoned insights on the strategic shifts crucial for today's CISOs.

- Understand why soft skills are now the superpower for advancing a career in security and compliance, as emphasized by Thomas and our hosts.
- Learn how security should be woven into the business foundation, creating an organizational culture that prioritizes these values.
- Discover the necessity of open dialogues, community support, and the embracing of diverse backgrounds for effective identity security.
- Gain perspective on the important shift from technical execution to strategic influence for Chief Information Security Officers, including their engagement with broader organizational goals.
- Explore the real-world challenges that CISOs face, from justifying cybersecurity budgets to tactfully adding value across departments and securing buy-in for non-traditional leadership approaches.

---
Send in a voice message: https://podcasters.spotify.com/pod/show/identityjedishow/message
Host: Deb Radcliff
On ITSPmagazine
In the latest episode of "Life of a CISO" by Dr. Eric Cole, titled "Becoming A CISO," he delves into the critical mindset required for aspiring and current Chief Information Security Officers. Dr. Cole emphasizes the power of belief in shaping one's success. He highlights that accomplishment stems from conviction: believing you can achieve a goal significantly increases the probability of success. He dissects the common misconception that a CISO's role is primarily technical, stressing that it's a strategic business position focused on driving growth and success while leveraging cybersecurity as a strategic weapon. Dr. Cole provides valuable advice, debunking myths about the transition to a CISO role, stressing the need for strategic thinking over technical expertise. He encourages individuals to introspect, ensuring alignment between their aspirations, skills, and the actual responsibilities of a CISO. Ultimately, he guides aspiring CISOs on rewriting their self-narrative, crafting their CVs, and steering interviews towards showcasing strategic thinking, setting a clear path toward becoming a world-class CISO.
Dr. Eric Cole's latest episode of "Life of a CISO" delves into the importance of reflection and gratitude in a cybersecurity professional's journey. He highlights the tendency to focus on the next challenge without acknowledging past achievements. Dr. Cole emphasizes the value of appreciating accomplishments and the need to strike a balance between aiming higher and acknowledging current successes. Moreover, he reminds CISOs not to overlook the core essence of cybersecurity, urging them to maintain a strong cybersecurity foundation while embracing their role as Chief Information Security Officers. He underscores the significance of understanding and communicating cybersecurity risks to executives, encouraging a shift in perspective towards cybersecurity as a business enabler rather than just an overhead function. Dr. Cole concludes by outlining three key aspects: accepting the inevitability of risk, establishing a clear risk posture, and prioritizing critical data protection in organizational security strategies.
Guest: Dr. Valerie Lyons, Author
On LinkedIn | https://www.linkedin.com/in/valerielyons-privsec/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Pentera | https://itspm.ag/penteri67a
___________________________
Episode Notes

In this episode of the Redefining Cybersecurity podcast, host Sean Martin engages in a conversation with Dr. Valerie Lyons, co-author of "The Privacy Leader Compass." They discuss various aspects of privacy and provide practical guidance for privacy leaders.

Dr. Lyons highlights the regulatory difference between the US and Europe's approach to privacy, with data minimization being a regulatory requirement in Europe. However, she emphasizes that it's not about which approach is better, but rather understanding and complying with the regulatory requirements. They delve into the principles of Fair Information Practices (FIPS) and privacy by design, which are enshrined in GDPR.

"The Privacy Leader Compass" is designed to be a comprehensive resource for privacy leaders, incorporating the McKinsey seven S model. It goes beyond compliance, incorporating ethics, trust, and consumer satisfaction in privacy programs. The book is intended to be location and jurisdiction agnostic, allowing privacy leaders to adapt the framework to their specific contexts.

The conversation also highlights the value of learning from privacy pioneers and leveraging their experiences. The book includes contributions from over 60 privacy pioneers, providing real-world examples and insights. Dr. Lyons emphasizes the importance of collaboration and learning from others' experiences rather than starting from scratch.

They discuss the flexible interpretation within privacy legislation, such as the choice between appointing a Data Protection Officer (DPO) or a Chief Privacy Officer (CPO). They stress the importance of developing a privacy strategy and vision, regardless of the jurisdiction, and exploring why privacy leaders were hired for their roles.

Throughout the conversation, Dr. Lyons and Sean Martin present a balanced perspective, focusing on practical guidance and empowering privacy leaders. They explore the dynamic nature of privacy and the need to go beyond compliance, considering ethics, trust, and consumer satisfaction. The conversation is grounded in real-world experiences and provides valuable insights for privacy leaders navigating the ever-changing privacy landscape.

About the Book

Congratulations! Perhaps you have been appointed as the Chief Privacy Officer (CPO) or the Data Protection Officer (DPO) for your company. Or maybe you are an experienced CPO/DPO, and you wonder - "what can I learn from other successful privacy experts to be even more effective?" Or perhaps you are considering a move from a different career path and deciding if this is the right direction for you.

Seasoned award-winning Privacy and Cybersecurity leaders Dr. Valerie Lyons (Dublin, Ireland) and Todd Fitzgerald (Chicago, IL USA) have teamed up with over 60 award-winning CPOs, DPOs, highly respected privacy/data protection leaders, data protection authorities, and privacy standard setters who have fought the tough battle.

Just as the #1 best-selling and CANON Cybersecurity Hall of Fame winning CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers book provided actionable advice to Chief Information Security Officers, The Privacy Leader Compass is about straight talk - delivering a comprehensive privacy roadmap applied to, and organized by, a time-tested organizational effectiveness model (the McKinsey 7-S Framework) with practical, insightful stories and lessons learned.

You own your continued success as a privacy leader. If you want a roadmap to build, lead, and sustain a program respected and supported by your board, management, organization, and peers, this book is for you.
____________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
Innovation comes in many areas and compliance professionals need to not only be ready for it but embrace it. One of those areas is telehealth and telemedicine. My guest in this episode is Igor Volovich, the Vice President of Compliance Strategy at Qmulos. Igor Volovich, a cybersecurity expert affiliated with Qmulos, brings a unique perspective to the table regarding the importance of executive accountability and proactive risk governance in cybersecurity. Volovich emphasizes the crucial role that executives play in ensuring compliance, controls, and security posture decisions, and criticizes the current model of firing and hiring Chief Information Security Officers as ineffective. He believes that risk governance should be a holistic business function, rather than separate departments handling different types of risks, and encourages boards of directors to question and challenge reports on compliance and risk posture. Drawing from his extensive experience and deep understanding of the field, Volovich advocates for a real-time convergence of compliance, security, and risk management. Join Tom Fox and Igor Volovich on this episode of the Innovation in Compliance podcast to delve deeper into these insights.

Key Highlights
· Maintaining Compliance Integrity through Executive Accountability
· Misrepresentation of Compliance in Penn State
· Moving Towards Data-Driven, Risk-Based Compliance
· Data-Driven Risk Management for True Compliance
· Incentivized Whistleblowing and Cybersecurity Accountability
· Elevating Risk Governance for Effective Cybersecurity
· Real-Time Compliance and Data-Driven Automation

Resources:
Igor Volovich on LinkedIn
Qmulos
Tom Fox on Instagram, Facebook, YouTube, Twitter, LinkedIn
Promise to learn and a personal story: "You're about to unlock the complexities of cybersecurity and the CISSP certification, a sought-after credential in our industry. Walking you through this journey is me, your host Sean Gerber, sharing my two-decade-long adventure navigating the ever-evolving landscape of cyber warfare."

Painting a vivid picture of the cybersecurity landscape, we delve into the increasing involvement of hacktivists in geopolitical conflicts. We dissect the industry roles from Information Security Analysts and security consultants to Chief Information Security Officers, outlining their duties and scopes. The pivotal role of CISSP certification, its extensive security topics and best practices is explored in depth to equip you with the knowledge needed to ace it. It's a dynamic, fast-paced episode that leaves no stone unturned: we've got everything from the technical aspects of security systems engineering to the skills required to be a successful security architect. Brace yourself for a deep dive into the world of cybersecurity, a journey that promises to be as enlightening as it is exciting.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.
In this episode of CHATTINN CYBER, Marc Schein interviews James Kim, the Vice President and Director of Cybersecurity Strategies and Programs at City National Bank in Florida, about the roles and responsibilities of a cybersecurity professional, leveling up into a CISO (Chief Information Security Officer) role, and managing cybersecurity risks in an organization. James begins by discussing his path to his current position, attributing his success to luck, ambition, and grit. He started as a help desk technician at a bank and worked his way up over the years, focusing on risk management and developing business acumen. He realized that there was a gap between the technical aspects of cybersecurity and business, which led him to focus on improving the relationship between the two areas. He believes that this focus on developing relationships and maintaining partnerships is critical to his role and cybersecurity more broadly. James's day-to-day responsibilities involve incident reviews, working with governance, risk and compliance teams, reviewing policies and controls, managing projects, and tracking various initiatives. He enjoys the variety of tasks and the opportunity to work across the entire spectrum of cybersecurity, including governance, risk and compliance, security architecture, identity and access management, and business continuity and vendor risk management. James discusses the future of the CISO role and where he sees himself in five years. He believes that the CISO role will continue to expand in prominence, with more emphasis on managing cybersecurity risks for the organization. He concludes the conversation by advising young professionals interested in cybersecurity to know the many different aspects of the field, including governance, risk and compliance programs, cybersecurity auditing, and security engineering and analysis. He also stresses the importance of work-life balance, given the challenging and stressful nature of the work. 
Highlights:
"We all have similar responsibilities around maintaining a robust information security or cybersecurity program, ensuring that we have proper processes, procedures in place to report incidents; and at the end of the day, having the appropriate safeguards in place to protect client information or patient information."
"If you've been kind of following along with current events, I feel that within the next five years, the CISO role will continue to expand and gain more prevalence with management and the board."

Time-Stamps:
[00:50] How did James get into cybersecurity?
[02:38] James's day-to-day responsibilities as a security operations manager.
[04:04] Working across the entire spectrum of cybersecurity.
[06:06] Where do you see the CISO role in five years?
[08:07] How to promote awareness internally and externally within the organization.
[10:13] Advice for young professionals trying to enter cybersecurity.
[12:14] Challenges in the future of cybersecurity.

Connect with James:
LinkedIn: https://www.linkedin.com/in/james7kim/
Embracing the 'not if, but when' mindset.

Cybersecurity solutions provider Trellix recently unveiled their 2023 Voice of the CISO report. Among other topics, it explored the top 5 challenges cited by Chief Information Security Officers who responded to the Trellix survey. In order, they included:
1. Too many different sources of information.
2. A growing attack surface created by remote workers, increasingly complex supply chains and other social and business factors.
3. Changing regulatory mandates.
4. Difficulties retaining and recruiting staff with the necessary security skills.
5. A lack of buy-in from other parts of the company.

These results not only help shine a light on the universal complications of defending IT and OT environments, but also on the importance of having such conversations in the light of day. Proactive measures and universal support need to be a priority in order to respond effectively to the evolving regulatory and business continuity efforts that surround industrial cybersecurity.

Joining us to discuss these and other topics is Karan Sondhi, Trellix's Chief Technology Officer. Trellix is a leading provider of Extended Detection and Response strategies.

To catch up on past episodes, you can go to Manufacturing.net, IEN.com or MBTmag.com. You can also check Security Breach out wherever you get your podcasts, including Apple, Amazon and Overcast. And if you have a cybersecurity story or topic that you'd like to have us explore on Security Breach, you can reach me at jeff@ien.com.

To download our latest report on industrial cybersecurity, The Industrial Sector's New Battlefield, click here.
Why cybersecurity is all about ROI, and other "unsexy" stuff on which to build your defenses.

In previous episodes of Security Breach, we've discussed penetration testing, ethical hackers, cataloging connection points, and getting a handle on all those API connections. These strategies are centered on developing defenses that reduce your attack surface, make attackers easier to spot, negate the dwell time of black hats looking to live inside your networks, and hopefully much more.

While obtaining all this data is critical, the next challenge is understanding what to do with it in forming a stronger cyber defense plan. This is where it gets tricky. A lack of OT security expertise continues to permeate throughout the industrial sector. Throw in some cloudy and somewhat limited regulatory guidance, and knowing exactly what steps industrial cybersecurity leaders should take after getting all this data is even more complex.

Our guest for this episode not only understands these dynamics, but confronts them on a daily basis. Brian Haugli is a former CSO and cybersecurity leader for the Pentagon, as well as professor of Cybersecurity at Boston College. He currently serves as the CEO of SideChannel, a cybersecurity services firm that offers risk assessments, virtual Chief Information Security Officers, and more.

We're excited to announce that Security Breach is being sponsored by Rockwell Automation. For more information on their cybersecurity solutions, you can go to rockwellautomation.com.

To catch up on past episodes, you can go to Manufacturing.net, IEN.com or MBTmag.com. You can also check Security Breach out wherever you get your podcasts, including Apple, Amazon and Overcast. And if you have a cybersecurity story or topic that you'd like to have us explore on Security Breach, you can reach me at jeff@ien.com.

To download our latest report on industrial cybersecurity, The Industrial Sector's New Battlefield, click here.
This Their Story podcast episode features Chris Pierson, the co-founder of BlackCloak, as Marco Ciappelli and Sean Martin discuss the importance of relationships and human empathy in the cybersecurity field, as well as the challenges of cutting through the noise in the industry. Chris Pierson presents the importance of protecting corporate executives and their personal lives, devices, and homes, ultimately ensuring their peace of mind. The trio explore the significance of human relationships in the cybersecurity industry, emphasizing the need for trust and understanding between vendors and clients. They also highlight the importance of human empathy in developing cybersecurity products and services that address the unique needs of different users, and discuss the challenges of balancing privacy and security while considering the unique needs of clients in different sectors.

Pierson also unveils BlackCloak's latest innovation, the CISO Protection Dashboard. This tool helps Chief Information Security Officers and their teams gain valuable insights into the digital lives of their executives.

Don't miss out on this informative and thought-provoking episode that delves deep into the world of digital executive protection. Be sure to tune in to learn about BlackCloak's innovative dashboard and how they involve their clients in the development process.

Note: This story contains promotional content.
Learn more: https://www.itspmagazine.com/their-infosec-story

Guest:
Chris Pierson, Founder and CEO of BlackCloak [@BlackCloakCyber]
On LinkedIn | https://www.linkedin.com/in/drchristopherpierson/
On Twitter | https://twitter.com/drchrispierson

Resources
Learn more about BlackCloak and their offering: https://itspm.ag/itspbcweb
For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story
Experienced marketers know that creating a new business category requires a very different approach to capturing demand in an existing category. Not only are budgets for your product yet to be created, there's no search data to tap into for quick wins, and your sales processes can be lengthy, unpredictable and expensive.

Andy Singer, CMO of OpenRaven, is deep in the weeds of building a new category in the cloud security space called Data Security Posture Management, helping Chief Information Security Officers understand where their data are located, what types of data are in each location, and critically, how much of each type there is, in order to apply guardrails and reduce risk.

There's a ton of valuable insights in this podcast, from how to use social listening to identify adjacent problem spaces, to why LinkedIn is better than Google for category creation, to why account-level signals are more valuable than lead-level signals, to why you need to continue prospecting an account even after you've started talking to a champion.

Andy also has a wealth of experience leading marketing teams and has been through economic downturns before. He shares his advice on bad habits to kick, where to focus your marketing efforts and specific tactics that have served him well during periods like these.

I learned a ton from talking to Andy and I know you will enjoy listening to this one! And if you haven't already done so, please subscribe for more great content like this!

Podcast contents:
* 0:50: Cheesy question to get us started :) What type of marketer are you and what is your marketing superpower?
* 1:40: Tell us about OpenRaven and the problem you are solving.
* 7:50: As a marketer, what do you need to do differently when creating a category vs. capturing demand? Challenges you run into with forecasting.
* 12:20: Big mistakes marketers make is positioning at the vision level. Need for listening to customers.
* 14:00: When to use search vs. social. How to use social for listening and attach to an adjacent space, adjacent topic.
* 18:00: What are some bad habits B2B marketers need to kick in the current economic climate?
* 21:30: How ad platforms use advertisers' budgets inefficiently / encourage advertisers to broaden their targeting.
* 25:00: Benefits of using LinkedIn for ads. Targeting. Creatives. Importance of making your target market small in order
* 27:00: Importance of tight targeting and matching the creative to the targeting.
* 30:00: How to use Marketing Qualified Accounts in Account Based Marketing. Measure account-level score across buyer personas. Use tools like Qualified to figure out which accounts to focus on.

Get full access to The Revenue Architect at www.therevenuearchitect.com/subscribe
For 5 years, we have experimented with technology, people, and process controls at RELX, all designed to create an integrated framework for phishing mitigation. I'll speak about technology we've adopted (and that we haven't). I'll speak about failures in industry efforts (e.g., digital signatures). I'll speak about behavioral science and how we have adopted its concepts to drive behavior change. I'll speak about the "human is the weakest link/humans are our strongest link" debate raging in the industry today. I'll tell you where we still struggle as a company and as an industry. This topic will drive conversation, because everyone gets phishing emails; and everyone thinks they have a solution. About the speaker: Aurobindo Sundaram is the Head of Information Assurance & Data Protection at RELX, a global provider of information and analytics for professional and business customers across industries. He works closely with the company's Board of Directors, Group & division CEOs and functional heads, Chief Technology Officers, and Chief Information Security Officers to articulate and implement RELX's global information security program. His remit extends across 30,000+ employees, offices in 40+ countries, and customers in 180+ countries. Aurobindo has graduate degrees in computer science and management and is a CISSP.
2022 was another busy year for federal chief information security officers and cybersecurity teams across government. It started with the clean-up from the Log4j mess, and continues with a flurry of new guidance, binding operational directives, and you-name-it. Federal News Network's Justin Doubleday joined the Federal Drive with more.
Alym Rayani, General Manager for Compliance and Privacy Marketing at Microsoft, joins host Erica Toelle and guest host Hammad Rajjoub on this week's episode of Uncovering Hidden Risks. Alym works closely with engineering leadership to drive product strategy and roadmap while overseeing the product value proposition, marketing efforts, and customer experience. Due to these changes in regulations and increased cybersecurity risk, these areas are converging. Erica, Hammad, and Alym are taking a closer look at a top industry trend: convergence of compliance, data protection, and privacy requirements, and discussing what this means for Chief Information Security Officers.

In This Episode You Will Learn:
- What areas create quick wins for organizations that create momentum for larger initiatives
- What the answer is for CISOs to stay in compliance with regulations
- Risks CISOs will face focusing on data protection without considering compliance and privacy

Some Questions We Ask:
- What challenges are CISOs, privacy officers, and CCOs seeing from this convergence?
- How are data protection and privacy changing the way CISOs approach new problems?
- What should CISOs look for in a data protection technology solution?

Resources:
View Alym Rayani on LinkedIn
View Hammad Rajjoub on LinkedIn
View Erica Toelle on LinkedIn

Related Microsoft Podcasts:
Listen to: Afternoon Cyber Tea with Ann Johnson
Listen to: Security Unlocked
Listen to: Security Unlocked: CISO Series with Bret Arsenault
Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Uncovering Hidden Risks is produced by Microsoft and distributed as part of The CyberWire Network.
How do you become a Cyber Security Expert? Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert. As always, please follow us on LinkedIn, and subscribe to our podcasts. As a security leader, part of your role is to develop your people. That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned what differentiates true leaders from those who just accomplish a great deal is the making of the effort to develop your people. Now, you may have heard the phrase, "take care of your people," but I'll take issue with that. I take care of my dog. I take care of a family member who is sick, injured, or incapacitated. Why? Because they are not capable of performing all of life's requirements on their own. For the most part, your people can do this. If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome. People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them. I am NOT going to get political here, so don't worry about that. Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves. In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success. That brings me to the subject of today's podcast -- how do you counsel and mentor others on how to become a cyber security expert? 
If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having to seek out a mentor. Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes, "We trained ourselves, sir!" But most of the time, career mastery involves learning from a number of others. Today on CISO Tradecraft we are going to analyze the question, "How do you become a Cyber Security Expert?" I'm going to address this topic as if I were addressing someone in search of an answer. Don't tune out early because you feel you've already accomplished this. Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have. Let's start at the beginning. Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route -- do kids still do that?) You see someone that tells you they have a cool job where they get paid to ethically hack into computers. Later on, you meet a second person that says they make really good money stopping bad actors from breaking into banks. Somehow these ideas stick in your brain, and you start to say to yourself, you know, both of those jobs sound pretty cool. You begin to see yourself having a career in Cyber Security. You definitely prefer it to jobs that require a lot of manual labor and start at a low pay. So, you start thinking, "how can I gain the skills necessary to land a dream job in cyber security that also pays well?" At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs. The four building blocks are:
1. Getting an education
2. Getting certifications
3. Getting relevant job experience, and
4. Building your personal brand
So, let's explore these in detail.

Number 1: Getting an education.
When most people think about getting an education after high school, they usually talk about getting an associate's or a bachelor's degree. If you were to look at most Chief Information Security Officers, you will see the majority of them earn a bachelor's degree in Computer Science, an Information Systems or Technology degree from a college of business such as a BS in Management of Information Systems (MIS) or Computer Information Systems, or more recently a related discipline such as a degree in Cyber Security. An associate degree is a great start for many, particularly if you don't have the money to pay for a four-year university degree right out of high school. Tuition and debt can rack up pretty quickly, leaving some students deeply in debt, and for some, that huge bill is a non-starter. Fortunately, community colleges offer quality educational opportunities at very competitive rates relative to four-year degree institutions. For example, Baltimore County Community College charges $122 per credit hour for in-county residents. A couple of miles away, Johns Hopkins University charges $2,016 per credit hour. Now, that's a HUGE difference -- over 16 times if you do the math. Now, Hopkins does have some wonderful facilities and excellent faculty, but when it comes to first- and second-year undergraduate studies, is the quality and content of the education THAT different? Well, that's up to you to decide. The important take-away is, no one should decide NOT to pursue a cybersecurity education because of lack of money. You can get started at any age on an associate degree, and that may give you enough to go on to get your first job. However, if you want to continue on to a bachelor's degree, don't give up. Later I'll explain about a program that has been around since 2000 and has provided over 3,300 students with scholarships AND job placement after graduation. Back to those going directly for a bachelor's degree.
Now, the good news is that your chosen profession is likely to pay quite well, so not only are you likely to be able to pay off the investment you make in your education, but it will return dividends many times that which you paid, for the rest of your career. Think of financing a degree like financing a house. In exchange for your monthly mortgage payment, you get to enjoy a roof over your head and anything else you do with your home. As a cybersecurity professional, in exchange for your monthly student loan payment, you get to earn well-above average incomes relative to your non-security peers, and hopefully enjoy a rewarding career. And, like the right house, the value of your career should increase over time making your investment in your own education one of your best performing assets. Does this mean that you 100% need a bachelor's degree to get a job in cyber? No, it does not. There are plenty of cyber professionals that speak at Blackhat and DEF CON who have never obtained a college degree. However, if ten applicants are going for an extremely competitive job and only seven of the ten applicants have a college degree in IT or Cyber, you shouldn't be surprised when HR shortens the list of qualified applicants to only the top five applicants all having college degrees. It may not be fair, but it's common. Plus, a U.S. Census Bureau study showed that folks who have a bachelor's degree make half a million dollars more over a career than those with an associate degree, and 1.6 times what a high school diploma holder may earn over a lifetime. So, if you want more career opportunities and want to monetize your future, get past that HR checkbox that looks for a 4-year degree. Now, some people (usually those who don't want to do academic work) will say that a formal education isn't necessary for success. After all, Bill Gates and Mark Zuckerberg were college dropouts, and they're both worth billions. 
True, but that's a false argument that there's a cause-and-effect relationship there. Both were undergraduates at Harvard University when they developed their business ideas. So, if someone wants to assert a degree isn't necessary, counter with you'll agree once they are accepted into Harvard, and they produce a viable business plan as a teenager while attending classes. You see, completing four years of education in a field of study proves a few things. I've interviewed candidates that said they took all of the computer science and cybersecurity courses they wanted and didn't feel a need to "waste time" with fuzzy studies such as history and English composition. Okay, I'll accept that that person had a more focused education. But consider the precedent here. When a course looked uninteresting or difficult, that candidate just passed on the opportunity. In the world of jobs and careers, there are going to be tasks that are uninteresting or difficult, and no one wants to do them, but they have to get done. As a boss, do you want someone who has shown the pe d completed it with an A (or maybe even a B), or do you want someone who passed when the going got a little rough? The business world isn't academia where you're free to pick and choose whether to complete requirements. Stuff has to get done, and someone who has a modified form of learned helplessness will most likely not follow through when that boring task comes due. Remember I said I was going to tell you how to deal with the unfortunate situation where a prospective student doesn't have enough money to pay for college? There are a couple of ways to meet that challenge. It's time to talk to your rich uncle about paying for college. That uncle is Uncle Sam. Uncle Sam can easily finance your college so you can earn your degrees in Cyber Security. However, Uncle Sam will want you to work for the government in return for paying for your education. 
Two example scholarships that you could look into are the Reserve Officer Training Corps (ROTC) and Scholarship for Service (SFS). ROTC is an officer accession program offered at more than 1,700 colleges and universities across the United States to prepare young adults to become officers in the U.S. Military. For scholarship students, ROTC pays 100% of tuition, fees, books, and a modest stipend for living expenses. A successful degree program can qualify an Army second lieutenant for a Military Occupation Specialty (or MOS) such as a 17A Cyber Operations Officer, a 17B Cyber and Electronic Warfare Officer, or a 17D Cyber Capabilities Development Officer, a great start to a cybersecurity career. For the Navy, a graduating Ensign may commission as an 1810 Cryptologic Warfare Officer, 1820 Information Professional Officer, 1830 Intelligence Officer, or an 1840 Cyber Warfare Engineer. The Navy uses designators rather than MOS's to delineate career patterns. These designators have changed significantly over the last dozen years and may continue to evolve. The Marine Corps has a 1702 cyberspace officer MOS. Note that the Navy and the Marine Corps share a commissioning source in NROTC (Navy ROTC), and unlike the Army that has over 1,000 schools that participate in AROTC and the Air Force that has 1,100 associated universities in 145 detachments, there are only 63 Navy ROTC units or consortiums, although cross-town affiliates include nearly one hundred more colleges and universities. There are a lot of details that pertain to ROTC, and if you're serious about entering upon a military officer career, it's well worth the time and effort to do your research. Not all ROTC students receive a scholarship; some receive military instruction throughout their four years and are offered a commission upon graduation. 
Three- and four-year scholarship students incur a military obligation at the beginning of sophomore year, two-year scholarship students at the beginning of junior year, and one-year scholarship students at the start of senior year. The military obligation today is eight years, usually the first four of which are on active duty; the rest may be completed in the reserves. If you flunk out of school, you are rewarded with an enlistment rather than a commission. These numbers were different when I was in ROTC, and they may have changed since this podcast was recorded, so make sure you get the latest information to make an informed decision. What if you want to serve your country but you're not inclined to serve in the military, or have some medical condition that may keep you from vigorous physical activity, or had engaged in recreational chemical use or other youthful indiscretions that may have disqualified you from further ROTC consideration? There is another program worth investigating. The National Science Foundation provides educational grants through the Scholarship For Service program or SFS for short. SFS is a government scholarship that will pay up to 3 years of costs for undergraduate and even graduate (MS or PhD) educational degree programs. It's understood that government agencies do not have the flexibility to match private sector salaries in cyber security. However, by offering scholarships up front, qualified professionals may choose to stay in government service; hence SFS continues as a sourcing engine for Federal employees. Unlike ROTC, a participant in SFS will incur an obligation to work in a non-DoD branch of the Federal government for a duration equal to the number of years of scholarship provided. In addition to tuition and education-related fees, undergraduate scholarship recipients receive $25,000 in annual academic stipends, while graduate students receive $34,000 per year. 
An additional $6,000 is provided for certifications, and even travel to the SFS Job Fair in Washington DC. That job fair is an interesting affair. I was honored to be the keynote speaker at the SFS job fair back in 2008. I saw entities and agencies of the Federal government that I didn't even know existed, but they all had a cybersecurity requirement, and they all were actively hiring. SFS students qualify for "excepted service" appointments, which means they can be hired through an expedited process. The job fairs have been virtual the last couple of years due to COVID-19, but expect in-person events to resume in the future. I wrote a recommendation for a young lady whom I've known since she was born (her mom is a childhood friend of mine), and as an electrical engineering student in her sophomore year, she was selected for a two-year SFS scholarship. A good way to make mom and dad happy knowing they're not going to be working until 80 to pay off their kid's education bills. In exchange for a two-year scholarship, SFS will usually require a student to complete a summer internship between the first and second years of school and then work two years in a government agency after graduation. The biggest benefit to the Scholarship for Service is you can work at a variety of places. So, if your dream is to be a nation-state hacker for the NSA, CIA, or the FBI, then this offers a great chance of getting in. These three-letter agencies heavily recruit from these programs. As I mentioned, there are a lot of other agencies as well. You could find work at the State Department, Department of Health and Human Services, the Department of Education, the Federal Reserve Board, and I think I remember the United States Agency for International Development (USAID). Federal executive agencies, Congress, interstate agencies, and even state, local, or tribal governments can satisfy the service requirement. 
So, you can get paid to go to college and have a rewarding job in the government that builds a nice background for your career. How would you put all this together? I spent nine years as an advisor to the National CyberWatch Center. Founded as CyberWatch I in 2005, it started as a Washington D.C. and Mid-Atlantic regional effort to increase the quantity and quality of the information assurance workforce. In 2009, we received a National Science Foundation award and grants that allowed the program to go nationwide. Today, over 370 colleges and universities are in the program. So why the history lesson? What we did was align curriculum between two-year colleges and four-year universities, such that a student who took the designated courses in an associate degree program would have 100% of those credits transfer to the four-year university. That is HUGE. Without getting into the boring details, schools would certify to the Committee on National Security Systems (CNSS) (formerly known as the National Security Telecommunications and Information Systems Security Committee or NSTISSC) national training standard for INFOSEC professionals known as NSTISSI 4011. Now with the help of an SFS scholarship, a student with little to no financial resources can earn an associate degree locally, proceed to a bachelor's degree from a respected university, have a guaranteed job coming out of school, and HAVE NO STUDENT DEBT. Parents, are you listening carefully? Successfully following that advice can save $100,000 and place your child on course for success. OK, so let's fast forward 3 years and say that you are getting closer to finishing a degree in Cyber Security or Computer Science. Is there anything else that you can do while performing a summer internship? That brings us to our second building block: getting certifications. Number Two: Getting a Certification. Earning certifications is another key step to demonstrate that you have technical skills in cyber security. 
Technology changes rapidly. That means that universities typically don't provide specialized training in Windows 11, Oracle databases, Amazon Web Services, or the latest programming language. Thus, while you may come out of a computer science degree knowing how to write C++ and JavaScript, there are a lot of skills you often lack to be effective in the workforce. Additionally, most colleges teach only the free version of software. In class you don't expect to learn how to deploy antivirus software to thousands of endpoints from a vendor that would be in a Gartner Magic Quadrant, yet that is exactly what you might encounter in the workplace. So, let's look at some certifications that can help you establish your expertise as a cyber professional. We usually recommend entry-level certifications from CompTIA as a great starting point. CompTIA has some good certifications that can teach you the basics in technology. For example:
• CompTIA A+ can teach you how to work an IT help desk.
• CompTIA Network+ can teach you about troubleshooting, configuring, and managing networks.
• CompTIA Linux+ can help you learn how to perform as a system administrator supporting Linux systems.
• CompTIA Server+ ensures you have the skills to work in data centers as well as on-premises or hybrid environments.
Remember, it's really hard to protect a technology that you know nothing about, so these are easy ways to get great experience in a technology. If you want a certification such as these from CompTIA, we recommend going to a bookstore such as Amazon, buying the official study guide, and setting a goal to read every day. Once you have read the official study guide, go and buy a set of practice exam questions from a site like Whizlabs or Udemy. Note this usually retails for about $10. So far this represents a total cost of about $50 ($40 to buy a book and $10 to buy practice exams). 
For that small investment, you can gain the knowledge base to pass a certification. You just need to pay for the exam and meet eligibility requirements. Now after you get a good grasp of important technologies such as servers, networks, and operating systems, we recommend adding several types of certifications to your resume. The first is a certification in the cloud. One notable example of that is AWS Certified Solutions Architect - Associate. Note you can find solutions architect certifications from Azure and GCP, but AWS is the most popular cloud provider, so we recommend starting there. Learning how the cloud works is extremely important. Chances are you will be asked to defend it, and you need to understand what an EC2 instance is, the types of storage used to make backups, and how to provide proper access control. So, spend the time and get certified. One course author who provides a great course is Adrian Cantrill. You can find his course link for AWS Solutions Architect in our show notes or by visiting learn.cantrill.io. The course costs $40 and has some of the best diagrams you will ever see in IT. Once again, go through a course like this and supplement with practice exam questions before going for the official certification. The last type of certification we will mention is an entry-level cyber security certification. We usually see college students pick up a Security+ or Certified Ethical Hacker as a foundation to establish their knowledge in cyber security. Now the one thing that you really gain out of Security+ is a list of technical terms and concepts in cyber security. You need to be able to understand the difference between access control, authentication, and authorization if you are to consult with a developer on what is needed before allowing access to a site. These types of certifications will help you to speak fluently as a cyber professional. That means you get more job offers, better opportunities, and interesting work. 
It's next to impossible to establish yourself as a cyber expert if you don't even understand the technical jargon correctly. Number Three: Getting Relevant Job Experience. OK, so you have a college degree and an IT certification or two. What's next? At this point in time, you are eligible for most entry-level jobs. So, let's find interesting work in cyber security. If you are looking for jobs in cyber security, there are two places we recommend. The first is LinkedIn. Almost all companies post there, and there's a wealth of opportunities. Build out an interesting profile and look professional. Then apply, apply, apply. It will take a while to find the role you want. Also post that you are looking for opportunities and need help finding your first role. You will be surprised at how helpful the cyber community is. Here's a pro tip: add some hashtags to your post to increase its visibility. Another interesting place to consider is government. The government spends a lot of time investing in its employees. So go there, work a few years, and gain valuable experience. You can start by going to the federal jobs site, USAJOBS.gov, and searching for the occupational series that map to cyber security. For example, search using the keyword "2210" to find the Information Technology Management job series, where most cyber security opportunities can be found. If you get one of these government jobs, be sure to look into college repayment programs. Many government jobs will help you pay off student loans, finance a master's degree in cyber security, or pay for your certifications. It's a great win-win to learn the trade. Once you get into an organization and begin working your first job out of college, you then generally get one big opportunity to set the direction of your career. What type of cyber professional do you want to be? Usually, we see most cyber careerists fall into one of three basic paths. 
• Offensive Security
• Defensive Security
• Security Auditing
The reason these three are the most common is they have the largest number of job opportunities. So, from a pure numbers game, it's likely where you are to spend the bulk of your career, although we do recommend cross training. Mike Miller, who is the vCISO for Appalachia Technologies, put out a great LinkedIn post on this where he goes into more detail. Note we have a link to it in our show notes. Here are some of our own thoughts on these three common cyber pathways: Offensive Security is for those who like to find vulnerabilities in things before the bad guys do. It's fun to learn how to hack and take jobs in penetration testing and the red team. Usually if you choose this career, you will spend time learning offensive tools like Nmap, Kali Linux, Metasploit, Burp Suite, and others. You need to know how technology works, common flaws such as the OWASP Top Ten web application security risks, and how to find those vulnerabilities in technology. Once you do, there's a lot of interesting work awaiting. Note if these roles interest you, then try to obtain the Offensive Security Certified Professional (OSCP) certification to gain relevant skill sets that you can use at work. Defensive Security is for the protectors. These are the people who work in the Security Operations Center (SOC) or on Incident Response Teams. They look for anomalies, intrusions, and signals across the whole IT network. If something is wrong, they need to find it and identify how to fix it. Similar to Offensive Security professionals, they need to understand technology, but they differ in the types of tools they need to look at. You can find a defender looking at logs. Logs can come from an Intrusion Detection System, a firewall, a SIEM, antivirus, Data Loss Prevention tools, an EDR, and many other sources. Defenders will become an expert in one of these tools that needs to be constantly monitored. 
Note if you are interested in these types of opportunities, look for cyber certifications such as the MITRE ATT&CK Defender (MAD) or the SANS GIAC Certified Incident Handler (GCIH) to gain relevant expertise. Security Auditing is a third common discipline. Usually reporting to the Governance, Risk, and Compliance organization, this role is usually the least technical. This discipline is about understanding a relevant standard or regulation and making sure the organization follows the intent of the standard or regulation. You will spend a lot of time learning the standards, policies, and best practices of an industry. You will perform risk assessments and third-party reviews to understand how the organization and its suppliers measure up against the standards the industry certifies to. If you would like to learn about the information systems auditing process, governance and management of IT systems, business processes such as Disaster Recovery and Business Continuity Management, and compliance activities, then we recommend obtaining the Certified Information Systems Auditor (CISA) certification from ISACA. OK, so you have a degree, you have certifications, you are in a promising job role, WHAT's next? If you want to really become an expert, we recommend you focus on… Number Four: Building your personal brand. Essentially, find a way to give back to the industry by blogging, writing open-source software, creating a podcast, building cybersecurity tutorials, creating YouTube videos, or presenting a lecture topic to your local OWASP chapter on cyber security. Every time you do, you will get smarter on a subject. Imagine spending three hours a week reading books in cyber security. If you did that for ten years, think of how many books you could read and how much smarter you would become. Now as you share that knowledge with others, two things happen: People begin to recognize you as an industry expert. You will get invited to opportunities to connect with other smart people, which allows you to become even smarter. 
If you spend your time listening to smart people and reading their works, it rubs off. You will absorb knowledge from them that will spark new ideas and increase your understanding. The second thing is when you present your ideas to others you often get feedback. Sometimes you learn that you are actually misunderstanding something. Other times you get different viewpoints. Yes, this works in the financial sector, but it doesn't work in the government sector or in the university setting. This feedback also helps you become smarter as you understand more angles of approaching a problem. Trust us, the greatest minds in cyber spend a lot of time researching, learning, and teaching others. They all know G Mark's law, which I wrote nearly twenty years ago: "Half of what you know about security will be obsolete in eighteen months." OK so let's recap a bit. If you want to become an expert in something, then you should do four things. 1) Get a college education so that you have the greatest number of opportunities open to you, 2) get certifications to build up your technical knowledge base, 3) find relevant job experiences that allow you to grow your skill sets, and 4) finally, share what you know and build your personal brand. All of these make you smarter and will help you become a cyber expert. Thanks again for listening to us at CISO Tradecraft. We wish you the best on your journey as you Learn to Earn. If you enjoyed the show, tell one person about it this week. It could be your child, a friend looking to get into cyber security, or even a coworker. We would love to help more people and we need your help to reach a larger audience. This is your host, G. Mark Hardy, and thanks again for listening and stay safe out there. 
References:
https://www.todaysmilitary.com/education-training/rotc-programs
www.sfs.opm.gov
https://www.comptia.org/home
https://www.whizlabs.com/
https://www.udemy.com/
https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c03
https://www.linkedin.com/feed/update/urn:li:activity:6965305453987737600/
https://www.offensive-security.com/pwk-oscp/
https://mitre-engenuity.org/cybersecurity/mad/
https://www.giac.org/certifications/certified-incident-handler-gcih/
https://www.ccbcmd.edu/Costs-and-Paying-for-College/Tuition-and-fees/In-County-tuition-and-fees.aspx
https://www.educationcorner.com/value-of-a-college-degree.html
https://www.collegexpress.com/lists/list/us-colleges-with-army-rotc/2580/
https://www.af.mil/About-Us/Fact-Sheets/Display/Article/104478/air-force-reserve-officer-training-corps/
https://www.netc.navy.mil/Commands/Naval-Service-Training-Command/NROTC
https://armypubs.army.mil/pub/eforms/DR_a/NOCASE-DA_FORM_597-3-000-EFILE-2.pdf
https://niccs.cisa.gov/sites/default/files/documents/SFS%20Flyer%20FINAL.pdf
https://www.nationalcyberwatch.org/
We know chief information security officers have a job in the White House's "zero trust" cybersecurity strategy. But what about chief data officers? Turns out they're more involved than you might think. For more, Federal News Network's Justin Doubleday.
Hello and welcome to Season 4 Episode 2 of the NextExec Podcast. In this episode, Ashley speaks with Joyce Brocaglia, the founder of the Executive Women's Forum (EWF), about her vision some 20 years ago and what the EWF is today. They discuss the sisterhood this platform has created, how the EWF has impacted growth in the lives of conference attendees and their corporate benefactors, as well as the trajectory created by the various programs that have been instituted over the years. Please enjoy.
Guest - Joyce Brocaglia
Joyce Brocaglia is a visionary entrepreneur who created both the first executive search firm specializing in cybersecurity and a ground-breaking membership organization that builds women leaders in cybersecurity, risk, and privacy. Joyce founded Alta Associates in 1986, and today Alta is the most prominent executive search firm specializing in Cybersecurity, IT Risk Management and Data Privacy. Alta, ranked one of the top 50 executive search firms in the US, has an unprecedented track record of placing Chief Information Security Officers and building world-class organizations. In March of 2022, Alta was acquired by Diversified Search Group, the largest women-led, women-founded executive search firm. Joyce is the Global Cybersecurity Practice Leader. This joining of forces has expanded Alta's search capabilities throughout the C-Suite and into the boardroom. Joyce is a business advisor to her clients who has gained the trust and respect of the industry's most influential executives by accomplishing their strategic and diverse hiring goals. For over three decades Joyce has helped to define, elevate, and integrate the role of cybersecurity leaders and professionals in firms ranging from private equity and venture-backed growth companies to the world's largest and most complex global corporations. Joyce is the leading authority on the recruitment of Chief Information Security Officers. 
She is a career advisor to executive thought leaders, sought after for her deep knowledge of the industry, market conditions, and business intelligence. Joyce is a fierce advocate for women and has dedicated her career to advancing women leaders in cybersecurity, risk and privacy. In 2002, Joyce founded the Executive Women's Forum (EWF). Today the EWF is the largest member organization serving over 15,000 emerging leaders as well as the most prominent and influential female executives in their field. With over 80 Corporate Benefactors globally, the EWF is turbocharging the advancement of their DE&I and ESG goals. The EWF Leadership Academy equips women with the self-awareness, resiliency, and skills necessary to compete for leadership roles. The EWF Cybersecurity Women on Capitol Hill Symposium strengthens public-private relationships. The Carnegie Mellon University Joyce Brocaglia Endowed Fellowship Fund provides scholarships to underrepresented students.
Host - Ashley Baich
Ashley Baich is a Cybersecurity Senior Analyst at Accenture on the Cyber Investigation, Forensic, and Response (CIFR) team, with experience in many disciplines of cybersecurity. Her analytical background in marketing, communications, technology, and business development informs her mindful but competitive approach. Ashley is fueled by her desire to bridge the communication between IT professionals and business executives. She considers herself a 'forever student', eager to continue to build her academic foundation to be innovative and forward thinking in the world of cybersecurity. She is in the process of earning her MBA in information security and is an active participant in the EWF, currently as a co-lead for the Rising Leader Forum. Support the show (https://www.ewf-usa.com/)
We speak with authors Dan Lohrmann and Shamane Tan following the recent release of Cyber Mayday and the Day After: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions. Now available on Amazon - https://www.amazon.com/Cyber-Mayday-Day-After-Disruptions/dp/1119835305 From the Inside Flap Digital transformation and cyber insecurity converged spectacularly in recent years, leading to some of the highest profile network security failures in modern history. From the SolarWinds hack to the Colonial Pipeline ransomware event, these incidents dramatically highlighted the need for impactful and effective leadership through a crisis. In Cyber Mayday and the Day After, a team of veteran cybersecurity leaders delivers an incisive collection of stories, strategies, tactics, lessons, and outlooks from some of the top C-executive leaders around the world. Packed with insights from former FBI agents, NASA professionals, government Chief Information Security Officers, and high-profile executives, this book offers the practical examples and workable solutions that leaders need to succeed in the 21st century. Cyber Mayday and the Day After is a guide to the art of communication with senior stakeholders and how to effect cultural change within organizations to adapt to a new reality that includes ransomware, online deception, and nation-state hackers. You'll learn what you should know before a critical event occurs and what other executives wish they'd known before cyber crisis struck their organizations. You'll also discover how executive-level responses can make or break customer trust in your company. Finally, you'll explore how to utilize communication, coordination, and teamwork, as well as partnerships with vendors, law enforcement, and others, to tailor your crisis response for maximum damage mitigation. 
Cyber Mayday and the Day After is an eye-opening, need-to-read experience that's ideal for current or aspiring executives who seek to understand high-level leadership through a different lens. It's also the ideal resource for managers and other leaders who want to learn invaluable lessons in communication and leadership from veteran industry professionals. For a copy of Shamane Tan's first book, Cyber Risk Leaders, visit https://mysecuritymarketplace.com/books/cyber-risk-leaders-global-c-suite-insights-leadership-and-influence-in-the-cyber-age-by-shamane-tan/ #cyberriskmeetup #cyberriskleaders #cybersecurity
In this SecureWorld Sessions podcast bonus episode, three Chief Information Security Officers play a game show around modern cyber resilience. What is cyber resiliency, how do you align it with business objectives, and is it possible a unicorn won this battle of the CISOs? Contestants include Ricardo Lafosse, CISO, The Kraft Heinz Company; Michael Boucher, Americas CISO, JLL; and Glenn Kapetansky, Interim CISO, University of Chicago Medical Center, and CSO, Trexin Group. Thank you to Trend Micro, a global leader in cloud and XDR security, for being our premier podcast partner and providing new research for this episode. Resource Links: • Trend Micro report, "Attacks from All Angles: 2021 Midyear Cybersecurity Report": https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/attacks-from-all-angles-2021-midyear-security-roundup • Ricardo Lafosse on LinkedIn: https://www.linkedin.com/in/ricardolafosse • Michael Boucher on LinkedIn: https://www.linkedin.com/in/michael-boucher-55771a • Glenn Kapetansky on LinkedIn: https://www.linkedin.com/in/kapetansky • SecureWorld conferences: https://www.secureworldexpo.com/events The SecureWorld Sessions podcast gives you access to people and ideas that impact your cybersecurity career and help you secure your organization.
In a candid conversation about career paths in information security, Demétrio Carrion talks about the speed of the changes professionals in the field have faced in recent years, the need for investment that matches the demands placed on them, and the future of digital security and its professionals.
The top concerns haunting Chief Information Security Officers
Sam Curry, Chief Security Officer at Cybereason enlightens us on how to keep your organization security aware especially while remote, dropping some gems for Chief Information Security Officers and why security breaches are on the rise in 2021.
Our guest is Rich Baich, one of the foremost Chief Information Security Officers in industry. Rob and Rich talk about the nature of today's major cyber threats, as exemplified by the highly significant SolarWinds hack in the US in 2020. Rich also explores the challenge of securing global supply chains and how the time has come for a bold solution. Rich Baich is the Chief Information Security Officer of AIG, one of the world's leading insurers. He recently co-authored a report for the US President's National Infrastructure Advisory Council.
Dr. Eric Cole is our guest for episode 14 of Gula Tech Cyber Fiction. Eric and Ron speak about why we need certifications for Chief Information Security Officers, marketing terms like "zero trust" and "artificial intelligence", cybersecurity risk frameworks, Data Care and a good bit of hacker science fiction. Dr. Cole started his career doing cybersecurity at the CIA, has a PhD in computer science, has authored 8 computer security books including Cyber Crisis, which will be available soon, and runs Secure Anchor consulting, which provides cybersecurity expert witness services and security consulting.
We're excited to announce De:Coded Cyber, our new podcast covering security for large businesses, budding CISOs and even recognising that Chief Information Security Officers are real people too, with families and personal lives.(Full Show Notes available on our website.)
Patrick Gaul, Executive Director of the NTSC, joined me to give us all an update on the work the NTSC has done over the past year to get the voice of the CISO heard on Capitol Hill. We discuss the latest bill on data breach notification, national privacy laws, what the CISOs on the board are worried about, and the priorities of the NTSC after the dust settles in a few weeks after the election. NTSC Event links: This is the link to the Felker/Allison Fireside Chat registration page on the NTSC website. https://www.ntsc.org/events/virtual-fireside-chat-with-john-felker-and-marene-allison-solving-the-nation%E2%80%99s-cybersecurity-talent-shortage-with-cyber-scholarship-for-service-programs.html And this is the link to the actual registration page. https://us02web.zoom.us/webinar/register/WN_FG7epxcyQhCKKdos-qKu8Q Pat's Bio: From an early age, I have been driven by an innate sense of curiosity and a passion for exploration, which helps to explain a career that spans multiple industries across the globe. In my current role, my mission is to make the NTSC a preeminent force with respect to driving the national dialogue on technology security within the United States. We have amassed a prominent group of Chief Information Security Officers from across America who make up the Board of Directors. Through dialogue, education, and government relations, we unite both public and private sector stakeholders around policies that improve national cybersecurity standards and awareness. 
Linkedin Profile: https://www.linkedin.com/in/patrickgaul/ **** James Azar Host of CyberHub Podcast James on Twitter: https://twitter.com/james_azar1 James on Linkedin: https://www.linkedin.com/in/james-azar-a1655316/ ****** Sign up for our newsletter with the best of CyberHub Podcast delivered to your inbox once a month: http://bit.ly/cyberhubengage-newsletter ****** Website: https://www.cyberhubpodcast.com Youtube: https://www.youtube.com/channel/UCPoU8iZfKFIsJ1gk0UrvGFw Facebook: https://www.facebook.com/CyberHubpodcast/ Linkedin: https://www.linkedin.com/company/cyberhubpodcast/ Twitter: https://twitter.com/cyberhubpodcast Instagram: https://www.instagram.com/cyberhubpodcast Listen Here: https://linktr.ee/CISOtalk
This week on How I Launched This: A SaaS Story, Stephanie Wong (@swongful) is pleased to welcome Lena Smart from MongoDB. MongoDB is a force in the database industry, offering indexing and storage capabilities for any document. We start the show with a thorough discussion of Lena's background and her journey to becoming one of the top Chief Information Security Officers in the business. With the vital importance of security online and the ever-changing laws and regulations proliferating in the space, Lena tells us that security should be part of a business's culture. She offers tips for achieving this ideal, including instituting a policy of mandatory security awareness training and supporting your strongest link: your employees. The episode continues as Lena tells the story of MongoDB's founding. With the growth of mobile and cloud technologies, it became clear that the world needed a better database. MongoDB rose to the challenge by providing an intuitive, easy, secure solution for companies that is scalable and customizable. We learn about MongoDB Atlas, a global database platform with out-of-the-box layered security measures and additional available add-ons like Atlas Data Lake. Lena explains this layered approach to MongoDB security, comparing it to the physical security a brick-and-mortar business or home might employ. We learn about MongoDB's field level encryption specifically and how it's changing database security. To wrap up the show, Lena talks about the hiring process for security personnel and how a few good team members can help influence and mentor others. She stresses the security culture mindset, emphasizing cooperation between departments. We talk about the partnership between Google and MongoDB and how these two companies have learned from each other. Lena leaves us with a powerful message to be yourself and continue to grow and learn.
Episode Links:
• MongoDB
• MongoDB Atlas
• MongoDB Realm
• MongoDB Atlas Data Lake
The topic for today is the 6 skills every successful CISO must have, and 4 mistakes to avoid. Skills such as communication and presentation skills, understanding office politics, understanding the business, and having an understanding of finances... listen in to today's episode to get the full list.
Brakesec Podcast is now on Pandora! Find us here: https://pandora.app.link/p9AvwdTpT3

Book club: Book club is starting up again with Hands-On AWS Penetration Testing with Kali Linux by Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading, and meet us for the kickoff Monday the 24th at 10pm Eastern. The book club meets virtually on Zoom and organizes on Slack; get invited like this.
Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725

NolaCon Training: https://nolacon.com/training/2020/security-detect-and-defense-ttx

Roberto Rodriguez Bio: @Cyb3rWard0g on Twitter

Discussion topics:
Threat Intel vs. Threat Hunting: what's the difference?
What datasets are you using? Did you start with any particular dataset, or create your own?
Technique development: what skills are needed?
C2 setup
Detection mechanisms
Honeypots
How can people get involved?
Blacksmith: create a 'mordor' environment to push scripts that set up honeypots/honeynets

Links:
https://Threathunterplaybook.com
https://github.com/hunters-forge/ThreatHunter-Playbook
https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190815181010.html
https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
https://medium.com/threat-hunters-forge/writing-an-interactive-book-over-the-threat-hunter-playbook-with-the-help-of-the-jupyter-book-3ff37a3123c7
https://www.exploit-db.com/exploits/47995 - Sudo buffer overflow

Mordor: The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.
YAML Example: https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/WIN-190810201010.yaml
Notebook Example: https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190810201010.html
Jupyter notebook - Definition: https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html
Lateral Movement - WMI (image)
SIGMA?

What is a Notebook? Think of a notebook as a document that you can access via a web interface that allows you to save input (i.e. live code) and output (i.e. code execution results / evaluated code output) of interactive sessions as well as important notes needed to explain the methodology and steps taken to perform specific tasks (i.e. data analysis). https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4

Have a goal for expanding to other parts of ATT&CK?

Threat Hunter Playbook - Goals:
Expedite the development of techniques and hypotheses for hunting campaigns.
Help Threat Hunters understand patterns of behavior observed during post-exploitation.
Reduce the number of false positives while hunting by providing more context around suspicious events.
Share real-time analytics validation examples through cloud computing environments for free.
Distribute Threat Hunting concepts and processes around the world for free.
Map pre-recorded datasets to adversarial techniques.
Accelerate infosec learning through open source resources.
Sub-techniques: https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a
Slack Channel: https://launchpass.com/threathunting
Twitter: https://twitter.com/mattifestation https://twitter.com/tifkin_ https://twitter.com/choldgraf https://twitter.com/Cyb3rPandaH

Brakeing Down Security Podcast on #Pandora: https://www.pandora.com/podcast/brakeing-down-security-podcast/PC:27866

Marcus Carey (https://twitter.com/marcusjcarey): Prolific Author, Defender, Enterprise Architect at ReliaQuest
https://twitter.com/egyp7
https://www.darkreading.com/vulnerabilities---threats/reliaquest-acquires-threatcare/d/d-id/1335950
“GreyMatter integrates security data from security incident and event manager (SIEM), endpoint detection and response (EDR), firewalls, threat intelligence feeds, and other security tools, and includes analysis functions and automation. Threatcare's technology — which will become a new feature on the platform — simulates how a specific threat or attack could target an organization's network in order to determine whether its security tools and settings are or are not actually working to thwart the threats.”

Discussion topics:
Security model - everyone's is different. How do you work with your threat model? What is a proper threat model?
Attack Simulation - How is this different from doing a typical Incident Response tabletop? Threat modeling systems? How is this different than a pentest? Is this automated red teaming? How effective can automated testing be? Is this like some kind of constant scanning system? How does this work with threat intel feeds? Can it simulate ransomware, or any attacks?
Hedgehog principles - doing a lot of things crappily, and nothing well. Mr. Boettcher: “Why suck at everything…”
Atomic Red Team - https://github.com/redcanaryco/atomic-red-team
ATT&CK Matrix - https://attack.mitre.org/matrices/enterprise/

Tribe of Hackers

https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189 - Red Book
The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world's leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking. This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more.
Learn what it takes to secure a Red Team job and to stand out from other candidates
Discover how to hone your hacking skills while staying on the right side of the law
Get tips for collaborating on documentation and reporting
Explore ways to garner support from leadership on your security proposals
Identify the most important control to prevent compromising your network
Uncover the latest tools for Red Team offensive security

https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1119643376 - Yellow Book
Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you're just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. This unique guide includes inspiring interviews from 70 security experts, including Lesley Carhart, Ming Chow, Bruce Potter, Robert M. Lee, and Jayson E. Street.
Get the scoop on the biggest cybersecurity myths and misconceptions about security
Learn what qualities and credentials you need to advance in the cybersecurity field
Uncover which life hacks are worth your while
Understand how social media and the Internet of Things have changed cybersecurity
Discover what it takes to make the move from the corporate world to your own cybersecurity venture
Find your favorite hackers online and continue the conversation

https://smile.amazon.com/Tribe-Hackers-Security-Leaders-Cybersecurity/dp/1119643775 - Green Book (Next out!)
Information security is becoming more important and more valuable all the time. Security breaches can be costly, even shutting businesses and governments down, so security leadership is a high-stakes game. Leading teams of hackers is not always easy, but the future of your organization may depend on it. In this book, the world's top security experts answer the questions that Chief Information Security Officers and other security leaders are asking, including:
What's the most important decision you've made or action you've taken to enable a business risk?
How do you lead your team to execute and get results?
Do you have a workforce philosophy or unique approach to talent acquisition?
Have you created a cohesive strategy for your information security program or business unit?

https://smile.amazon.com/Tribe-Hackers-Blue-Team-Cybersecurity/dp/1119643414 - Blue Book (OUT SOON!)
Tribe of Hackers Blue Team goes beyond the bestselling, original Tribe of Hackers book and delves into detail on defensive and preventative techniques. Learn how to grapple with the issues that hands-on security experts and security managers are sure to build into their blue team exercises.
Discover what it takes to get started building blue team skills
Learn how you can defend against physical and technical penetration testing
Understand the techniques that advanced red teamers use against high-value targets
Identify the most important tools to master as a blue teamer
Explore ways to harden systems against red team attacks
Stand out from the competition as you work to advance your cybersecurity career

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
YL Ventures funds and supports brilliant Israeli tech entrepreneurs from seed to lead. Based in Silicon Valley and Tel Aviv, YL Ventures manages $260 million focused on deep-technology sectors and specializes in cybersecurity. The company accelerates the evolution of portfolio companies via strategic advice and U.S.-based operational execution, leveraging a powerful network of Chief Information Security Officers and global industry leaders. The firm's track record includes successful, high-profile portfolio company acquisitions by major corporations, including Palo Alto Networks, Microsoft, CA, and Proofpoint. I chat with Roger Hale, who has become the CISO-in-Residence at YL Ventures. The former Chief Information Security Officer of Informatica, a $1+ billion annual revenue software development company, talks about privacy and data protection risks to a company. We talk about the value of attending events such as RSAC and CyberTech Tel Aviv. We also discuss the latest big tech and privacy trends that are dominating conversations in conferences around the world. Roger's legacy in technology and information security extends across multiple verticals, including financial services, healthcare, eCommerce, biotech, and education, so for these reasons alone, it's a pleasure to get him back on the podcast.
Data and privacy are already dominating conversations in 2020. We have already discussed the impacts of the California Consumer Privacy Act (CCPA) and GDPR on yesterday's episode, and today I want to explore how businesses should prioritize data risks to their business. I chat with Roger Hale, who has become the CISO-in-Residence at YL Ventures. The former Chief Information Security Officer of Informatica, a $1+ billion annual revenue software development company, talks about the role of the CISO and how he has seen the role evolve. YL Ventures funds and supports brilliant Israeli tech entrepreneurs from seed to lead. Based in Silicon Valley and Tel Aviv, YL Ventures manages $260 million focused on deep-technology sectors and specializes in cybersecurity. YL Ventures accelerates the evolution of portfolio companies via strategic advice and U.S.-based operational execution, leveraging a powerful network of Chief Information Security Officers and global industry leaders. The firm's track record includes successful, high-profile portfolio company acquisitions by major corporations, including Palo Alto Networks, Microsoft, CA, and Proofpoint. Roger Hale is YL Ventures' CISO-in-Residence. In this role, he applies his 30 years of industry experience to the firm's due diligence process by vetting candidates and concepts in the pipeline, and to its value-add services for its portfolio companies. Roger proactively supports the ideation processes of up-and-coming entrepreneurs, advises them on the industry's greenfield opportunities, and helps YL Ventures portfolio companies remove communication roadblocks with customers, refine their positioning, and validate their go-to-market strategies. Previously, Roger directed and managed the global information security, risk, and compliance of some of hi-tech's most notable players. Most recently, this included his position as VP and CISO at Informatica.
Prior to this, he served as CISO at Inkling Systems, Senior Director of Security Architecture and Engineering at Symantec, and the first ISO at Brocade Communications. Roger's legacy in technology and information security extends across multiple verticals, including financial services, healthcare, eCommerce, biotech, and education. He has a proven track record of delivering effective strategies that align information lifecycle management with specialized business objectives, information assurance, and risk management.
Two top Chief Information Security Officers explore key topics on cyber-security. Industry Analyst, Michael Krigsman, speaks with two female experts (Tammy Moskites and Jo Stewart-Rattray) in this male-dominated field.
Two top Chief Information Security Officers explore key topics on cyber-security. Industry Analyst, Michael Krigsman, speaks with two female experts in this male-dominated field. Tammy Moskites is a Managing Director and Senior Security Executive at Accenture. She has 30 years of experience with expertise envisioning, building and leading security, technology and operational support organizations within many sectors. Jo Stewart-Rattray has over 25 years' experience in the IT field, some of which were spent as CIO in the Utilities space, and 18 in the Information Security arena.
David Bauer: Having helped bring Morgan Stanley's first website online, and having been at Merrill Lynch when it became the first major bank to outsource major security services, David has been working professionally with IT security since the late 1980s and is a pioneer in the security field. Our conversation explored his history as one of the first Chief Information Security Officers on Wall Street, from his experience at Bell Labs through Wall Street and his current advisory work. He discusses the role of regulations in helping companies improve their security, and shares valuable insights to help small and medium-sized businesses.
Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference
Jeff Moss, founder of Black Hat, invites Chief Information Security Officers from global corporations to join him on stage for a unique set of questions and answers. What do CISOs think of Black Hat, David Litchfield, Dan Kaminsky, Joe Grand, Johnny Long, Metasploit, and DEFCON? How many years before deperimeterization is a reality? Is security research more helpful or harmful to the economy? What privacy practices do CISOs personally use? These questions and others from the audience will be fielded by this panel of security visionaries.

Scott Blake is Chief Information Security Officer for Liberty Mutual Insurance Group and is responsible for information security strategy and policy. Prior to joining Liberty, Scott was Vice President of Information Security for BindView Corporation, where he founded the RAZOR security research team and directed security technology, market, and public affairs strategy. Scott has delivered many lectures on all aspects of information security and is frequently sought by the press for expert commentary. Since 1993, Scott has also worked as a security consultant, IT director, and network engineer. He holds an MA in Sociology from Brandeis University and a BA in Social Sciences from Simon's Rock College, and holds the CISM and CISSP security certifications.

Pamela Fusco, CISSP, CISM, CHS-III, Chief Security Officer, Merck and Co., Inc. Pamela Fusco is an Executive Global Information Security Professional for Merck and Co., Inc. She has accumulated over 19 years of substantial experience within the security industry. Her extensive background and expertise extend globally, encompassing all facets of security, inclusive of logical, physical, personal, facilities, systems, networks, wireless, and forensic investigations. Presently she leads a talented team of Compliance, Systems and Information Security Engineers operating a worldwide 24x7x365 SIRT (security incident response team).

Andre Gold is currently Director of Information Security at Continental Airlines, one of the world's largest and most successful commercial and freight transportation providers. Before assuming his current role, Mr. Gold served as Technical Director of Internet Services, responsible for Continental's continental.com property, which contributes over a billion dollars a year in revenue for Continental. Prior to Continental Airlines, Inc., Mr. Gold worked as a consultant in the IT industry. Mr. Gold has a BBA in Computer Information Systems from the University of Houston-Downtown and received his commission in the Army from Wentworth Military Academy. In addition to his position at Continental, Mr. Gold serves on the Microsoft Chief Security Officer Council, the Skyteam Data Privacy and Security Subcommittee, as well as eEye Digital Security's Executive Advisory Council.

Ken Pfeil is CSO at Capital IQ, a web-based information service company headquartered in New York City. His experience spans over two decades with companies such as Microsoft, Dell, Avaya, Identix, and Merrill Lynch. Ken is coauthor of the books "Hack Proofing Your Network - 2nd Edition" and "Stealing the Network - How to Own the Box," and a contributing author of "Security Planning and Disaster Recovery" and "Network Security - The Complete Reference."

Justin Somaini is Director of Information Security at VeriSign Inc., where he is responsible for managing all aspects of network and information security for VeriSign. With over 10 years of Information Security and Corporate Audit experience, Justin has leveraged his knowledge of audit and large organizations to remediate global infrastructure problems and create a full risk identification and remediation Information Security group. Previously, Justin was the Director of Information Security Services for Charles Schwab Inc., where he was responsible for all aspects of Information Security Operations. Before that he was a Manager with PricewaterhouseCoopers LLP, where he spent several years developing their attack and penetration leadership and audit practice.
Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference